Researchers To Demonstrate Mobile VDI Hijacking Attack

Virtual workspace containers on mobile devices will be put to the test today when two researchers are expected to demonstrate an attack that can hijack a VDI session and that works on Android or Apple iOS devices.

Researchers at Lacoon Mobile Security will use a malicious configuration profile attack that they said could be used in a targeted attack to remotely steal login credentials or other sensitive data.

"There are tools designed to do espionage on mobile devices that are sophisticated enough to identify weak points," said Michael Shaulov, co-founder and CEO of Lacoon Mobile Security. "They operate effectively and can compromise VDI or other mobile management solutions because they carry with them keyloggers and other components that affect those solutions."

Shaulov and Daniel Brodie, a senior researcher at Lacoon, will demonstrate the proof-of-concept attack today at the 2014 Black Hat USA Briefings in Las Vegas. The man-in-the-middle attack effectively hijacks the VDI session, Shaulov told CRN. The malicious app can perform screen scraping to exfiltrate data from the VDI session.

The researchers also will discuss mRAT keyloggers, a threat that has been used against Android devices to steal locally stored credentials.

Virtual desktop infrastructure is seen as a way to encapsulate corporate data in a virtual shell, but common configuration errors and software vulnerabilities provide a pathway to gain access to a session, view sensitive data and retrieve account credentials, Shaulov said.

VDI should not be dismissed as a preventative layer, Shaulov said, estimating that about 3 percent of large Global 50 businesses are using VDI as a security control for mobile devices. VDI needs to be properly implemented and augmented with other security measures, he said.

Shaulov said Lacoon differentiates itself from other mobile security vendors by using analytics and analysis to identify zero-day malware on mobile devices. An agent monitors devices' configuration profiles, phony certificates and unusual network settings to uncover issues that could signal a security problem. If it suspects malicious activity, it can be set to prevent data theft by blocking network connections, Shaulov said.

Last month, Lacoon identified a security weakness in the Gmail app for iOS, finding that it lacked a component that prevents mobile apps from installing malicious configuration profiles. Without the protection, the mobile security vendor said a user can be easily tricked into installing the configuration changes, giving an attacker access to data by bypassing or turning off device security components.

Solution providers said their clients are increasingly concerned about mobile security threats, driven mainly by news of attacks that could target Android devices. The biggest concern is lost and stolen devices, said David Wrenn, vice president of sales at Branford, Conn.-based solution provider Advanced Office Systems. Business owners want to protect data from being exposed if a device is lost or stolen, he said in a recent interview.

"Even if there is hype around some of the attacks, it is something that will very likely pose an even bigger concern in the future," Wrenn said.